Configure mail flow and client access

Applies to: Exchange Server 2013

Topic Last Modified: 2013-03-20

After you've installed Microsoft Exchange Server 2013 in your organization, you need to configure Exchange Server 2013 for mail flow and client access. Without these additional steps, you won't be able to send mail to the Internet and external clients such as Microsoft Office Outlook and Exchange ActiveSync devices won't be able to connect to your Exchange organization.

The steps in this topic assume a basic Exchange deployment with a single Active Directory site and a single Simple Mail Transfer Protocol (SMTP) namespace.

Important:

This topic uses example values such as Ex2013CAS, contoso.com, mail.contoso.com, and 172.16.10.11. Replace the example values with the server names, FQDNs, and IP addresses for your organization.

Procedures in this topic require specific permissions. See each procedure for its permissions information.

You might receive certificate warnings when you connect to the Exchange admin center (EAC) website until you configure a secure sockets layer (SSL) certificate on the Client Access server. You'll be shown how to do this later in this topic.

Each organization requires at a minimum one Client Access server and one Mailbox server in the Active Directory forest. Additionally, each Active Directory site that contains a Mailbox server must also contain at least one Client Access server. If you're separating your server roles, we recommend installing the Mailbox server role first.

In the New send connector wizard, specify a name for the Send connector and then select Internet. Click Next.

Verify that MX record associated with recipient domain is selected. Click Next.

Under Address space, click Add. In the Add domain window, make sure SMTP is selected in the Type field. In the Fully Qualified Domain Name (FQDN) field, enter *. Click Save.

Make sure Scoped send connector isn't selected and then click Next.

Under Source server, click Add. In the Select a Server window, select a Mailbox server. After you've selected the server, click Add and then click OK.

Click Finish.

Note:

A default inbound Receive connector is created when Exchange 2013 is installed. This Receive connector accepts anonymous SMTP connections from external servers. You don't need to do any additional configuration if this is the functionality you want. If you want to restrict inbound connections from external servers, modify the Default Frontend <Client Access server> Receive connector on the Client Access server.
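The same Send connector created from the Exchange Management Shell, followed by a look at the inbound side described in the note. This is an added example, not part of the original topic; the Mailbox server name Ex2013MBX, the Client Access server name Ex2013CAS and the gateway addresses 203.0.113.10 and 203.0.113.11 are placeholders.

```powershell
# Send connector: each setting mirrors a choice made in the wizard above.
$send = @{
    Name                   = 'Internet'
    Usage                  = 'Internet'
    AddressSpaces          = 'SMTP:*;1'   # the "*" address space, cost 1
    DNSRoutingEnabled      = $true        # "MX record associated with recipient domain"
    IsScopedConnector      = $false       # "Scoped send connector" left unselected
    SourceTransportServers = 'Ex2013MBX'  # assumed name of the Mailbox server chosen as source
}
New-SendConnector @send

# Inbound: list the Receive connectors on the Client Access server and see which
# one accepts anonymous SMTP (the Default Frontend connector from the note).
Get-ReceiveConnector -Server 'Ex2013CAS' |
    Select-Object Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups

$frontend = 'Ex2013CAS\Default Frontend Ex2013CAS'

# Record every inbound SMTP session in the protocol logs so connections from
# the Internet can be reviewed later.
Set-ReceiveConnector -Identity $frontend -ProtocolLoggingLevel Verbose

# Optional restriction: accept Internet mail only from your mail gateway(s).
# Do this only when every connection on port 25 arrives from those hosts;
# otherwise direct delivery from the Internet (and any internal SMTP sender
# that uses this connector) stops working.
Set-ReceiveConnector -Identity $frontend -RemoteIPRanges '203.0.113.10', '203.0.113.11'
```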

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Accepted domains" entry in the Mail flow permissions topic.

By default, when you deploy a new Exchange 2013 organization in an Active Directory forest, Exchange uses the domain name of the Active Directory domain where Setup /PrepareAD was run. If you want recipients to receive and send messages to and from another domain, you must add the domain as an accepted domain. This domain is also added as the primary SMTP address on the default email address policy in the next step.

Important:

A public Domain Name System (DNS) MX resource record is required for each SMTP domain for which you accept email from the Internet. Each MX record should resolve to the Internet-facing server that receives email for your organization.

Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.

Enter your user name and password in Domain\user name and Password and then click Sign in.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Email address policies" entry in the Email address and address book permissions topic.

If you added an accepted domain in the previous step and you want that domain to be added to every recipient in the organization, you need to update the default email address policy.

Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.

Enter your user name and password in Domain\user name and Password and then click Sign in.

Under Email address format, click the SMTP address you want to change and then click Edit.

On the Email address format page in the Email address parameters field, specify the SMTP recipient domain you want to apply to all recipients in the Exchange organization. This domain must match the accepted domain you added in the previous step. For example, @contoso.com. Click Save.

Click Save.

In the Default Policy details pane, click Apply.

Note:

We recommend that you configure a user principal name (UPN) that matches the primary email address of each user. If you don't provide a UPN that matches the email address of a user, the user will be required to manually provide their domain\user name or UPN in addition to their email address. If their UPN matches their email address, Outlook Web App, ActiveSync, and Outlook will automatically match their email address to their UPN.
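The accepted domain and default email address policy steps above in the Exchange Management Shell, plus a check for the UPN mismatch the note warns about. This is an added example, not part of the original topic; it assumes the new SMTP domain is contoso.com and the policy keeps its default name.

```powershell
$Domain = 'contoso.com'

# Add contoso.com as an authoritative accepted domain (this organization is
# the final destination for mail to it) unless it already exists.
if (-not (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $Domain })) {
    New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative
}

# Make @contoso.com the primary address in the default policy. The uppercase
# "SMTP:" prefix marks the primary (reply) address; lowercase "smtp:" entries
# would be secondary addresses. Addresses already stamped on mailboxes remain
# as secondary proxies; only the primary changes.
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledEmailAddressTemplates "SMTP:@$Domain"

# The "Apply" step: stamp the new primary address on every recipient.
Update-EmailAddressPolicy -Identity 'Default Policy'

# The note: list users whose UPN differs from their primary SMTP address.
# These users must type domain\user name or their UPN when signing in.
# Before aligning a UPN, the suffix (contoso.com) must exist as a UPN suffix
# in the forest; Set-Mailbox -UserPrincipalName can then set it per mailbox.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString() } |
    Select-Object Name, UserPrincipalName, PrimarySmtpAddress
```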

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "<Service> virtual directory settings" entry in the Clients and mobile devices permissions topic.

Before clients can connect to your new server from the Internet, you need to configure the external domains, or URLs, on the Client Access server's virtual directories and then configure your public domain name service (DNS) records. The steps below configure the same external domain on the external URL of each virtual directory. If you want to configure different external domains on one or more virtual directory external URLs, you need to configure the external URLs manually. For more information, see Virtual directory management.

Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.

Enter your user name and password in Domain\user name and Password and then click Sign in.

Go to Servers > Servers, select the name of the Internet-facing Client Access server and then click Edit.

Click Outlook Anywhere.

In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.contoso.com.

While you’re here, let’s also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail.contoso.com.

Under Select the Client Access servers to use with the external URL, click Add.

Select the Client Access servers you want to configure and then click Add. After you’ve added all of the Client Access servers you want to configure, click OK.

In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.contoso.com. Click Save.

Note:

Some organizations make the Outlook Web App FQDN unique to insulate users from changes to the underlying server FQDN. Many organizations use owa.contoso.com for their Outlook Web App FQDN instead of mail.contoso.com. If you want to configure a unique Outlook Web App FQDN, do the following after you complete the previous step. This checklist assumes you have configured a unique Outlook Web App FQDN.

Select owa (Default Web Site) and click Edit.

In External URL, type https://, then the unique Outlook Web App FQDN you want to use, and then append /owa. For example, https://owa.contoso.com/owa.

Click Save.

Select ecp (Default Web Site) and click Edit.

In External URL, type https://, then the same Outlook Web App FQDN that you specified in the previous step, and then append /ecp. For example, https://owa.contoso.com/ecp.

Click Save.

After you've configured the external URL on the Client Access server virtual directories, you need to configure your public DNS records for Autodiscover, Outlook Web App, and mail flow. The public DNS records should point to the external IP address or FQDN of your Internet-facing Client Access server and use the externally accessible FQDNs that you've configured on your Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "<Service> virtual directory settings" entry in the Clients and mobile devices permissions topic.

Before clients can connect to your new server from your intranet, you need to configure the internal domains, or URLs, on the Client Access server's virtual directories and then configure your private domain name service (DNS) records.

The procedure below lets you choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange server or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you’re implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange server because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.

After you've configured the internal URL on the Client Access server virtual directories, you need to configure your private DNS records for Outlook Web App, and other connectivity. Depending on your configuration, you’ll need to configure your private DNS records to point to the internal or external IP address or fully qualified domain name (FQDN) of your Client Access server. The following are examples of recommended DNS records that you should create to enable internal client connectivity.

In Internal URL, replace the host name between https:// and the first forward slash (/) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from Ex2013CAS.corp.contoso.com to internal.contoso.com, change the internal URL from https://Ex2013CAS.corp.contoso.com/ews/exchange.asmx to https://internal.contoso.com/ews/exchange.asmx.

Click Save.

Repeat steps 5 and 6 for each virtual directory you want to change.

Note:

The ECP and OWA virtual directory internal URLs must be the same.
You can’t set an internal URL on the Autodiscover virtual directory.

After you've configured the internal URL on the Client Access server virtual directories, you need to configure your private DNS records for Outlook Web App and other connectivity. Depending on your configuration, you'll need to configure your private DNS records to point to the internal or external IP address or FQDN of your Client Access server. The following is an example of a recommended DNS record that you should create to enable internal client connectivity if you've configured your virtual directory internal URLs to use internal.contoso.com.
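Both the external URL procedure and the internal URL procedure above, done from the Exchange Management Shell in one pass. This is an added example, not part of the original topic. It assumes the server Ex2013CAS, the external host mail.contoso.com, the unique Outlook Web App host owa.contoso.com from the note, the internal host internal.contoso.com, and NTLM as the Outlook Anywhere client authentication method.

```powershell
$Server       = 'Ex2013CAS'
$ExternalHost = 'mail.contoso.com'
$OwaHost      = 'owa.contoso.com'
$InternalHost = 'internal.contoso.com'

# Outlook Anywhere: external and internal host names, TLS required on both.
# The authentication method (Ntlm) is an assumption; use what your clients support.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere `
    -ExternalHostname $ExternalHost -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Ntlm `
    -InternalHostname $ExternalHost -InternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm

# Replace the host name between https:// and the first slash, keeping the path:
# the edit the topic describes for https://Ex2013CAS.corp.contoso.com/ews/exchange.asmx.
function Set-UrlHost([string]$Url, [string]$NewHost) {
    $u = [System.Uri]$Url
    return "https://$NewHost$($u.AbsolutePath)"
}

# Virtual directories, their Get/Set cmdlets and the external host each gets.
# ECP deliberately shares the OWA host (their URLs must match). Autodiscover
# is omitted because it has no internal URL to set.
$VDirs = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Ext = $OwaHost },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Ext = $OwaHost },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Ext = $ExternalHost },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Ext = $ExternalHost },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Ext = $ExternalHost }
)
foreach ($v in $VDirs) {
    $dir = & $v.Get -Server $Server
    # The default internal URL (https://<server FQDN>/<path>) supplies the path for both URLs.
    $path     = $dir.InternalUrl.AbsoluteUri
    $internal = Set-UrlHost $path $InternalHost
    $external = Set-UrlHost $path $v.Ext
    & $v.Set -Identity $dir.Identity -InternalUrl $internal -ExternalUrl $external
}

# Check: the OWA and ECP host names must agree, internally and externally.
$owa = Get-OwaVirtualDirectory -Server $Server
$ecp = Get-EcpVirtualDirectory -Server $Server
if ($owa.InternalUrl.Host -ne $ecp.InternalUrl.Host -or $owa.ExternalUrl.Host -ne $ecp.ExternalUrl.Host) {
    Write-Warning 'The OWA and ECP virtual directory URLs must use the same host name.'
}
```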

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Certificate management" entry in the Mail flow permissions topic.

Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. The following steps show you how to configure an SSL certificate from a third-party certificate authority (CA):

Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.

Enter your user name and password in Domain\user name and Password and then click Sign in.

Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New.

In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.

Specify a name for this certificate and then click Next.

If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.

For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:

If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com.

If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.

These domains will be used to create the SSL certificate request. Click Next.

Add any additional domains you want included on the SSL certificate.

Select the domain that you want to be the common name for the certificate, and then click Set as common name. For example, contoso.com. Click Next.

Provide information about your organization. This information will be included with the SSL certificate. Click Next.

Specify the network location where you want this certificate request to be saved. Click Finish.

After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

On the Servers > Certificates page in the EAC, select the certificate request you created in the previous steps.

In the certificate request details pane, click Complete under Status.

On the complete pending request page, specify the path to the SSL certificate file and then click OK.

Select the new certificate you just added, and then click Edit.

On the certificate page, click Services.

Select the services you want to assign to this certificate. At minimum, you should select SMTP and IIS. Click Save.

If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
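The certificate request, completion and service assignment above from the Exchange Management Shell, building the name list from the URLs configured earlier so the request matches what the wizard would show. This is an added example, not part of the original topic; it assumes the server Ex2013CAS, the share \\fileserver\certs for the request and certificate files, and the organization details in the subject name.

```powershell
$Server = 'Ex2013CAS'
$Share  = '\\fileserver\certs'   # assumed network location for the files

# Collect every host name clients use from the configured URLs (the same list
# the wizard asks you to verify), plus the autodiscover name Outlook looks up
# for the default accepted domain.
$oa    = Get-OutlookAnywhere -Server $Server
$urls  = @(Get-OwaVirtualDirectory -Server $Server
           Get-EcpVirtualDirectory -Server $Server
           Get-WebServicesVirtualDirectory -Server $Server
           Get-OabVirtualDirectory -Server $Server
           Get-ActiveSyncVirtualDirectory -Server $Server) |
         ForEach-Object { $_.InternalUrl; $_.ExternalUrl } | Where-Object { $_ }
$names = @("$($oa.ExternalHostname)", "$($oa.InternalHostname)") + @($urls | ForEach-Object { $_.Host })
$names += 'autodiscover.' + ((Get-AcceptedDomain | Where-Object { $_.Default }).DomainName)
$names  = $names | Where-Object { $_ } | Sort-Object -Unique

# Generate the request. CN=contoso.com is the common name chosen in the wizard;
# the organization fields are assumed. The request file goes to the CA.
$req = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName 'Contoso Exchange' `
    -SubjectName 'C=US,O=Contoso,CN=contoso.com' `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path "$Share\contoso.req" -Value $req

# After the CA returns the certificate (assumed file name contoso.cer):
# complete the pending request, then assign SMTP and IIS. -Force answers the
# "Overwrite the existing default SMTP certificate?" prompt.
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path "$Share\contoso.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services SMTP, IIS -Force

# Check: every configured host name must be on the certificate (a wildcard
# certificate lists *.contoso.com instead and is not matched here).
$covered = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $names | Where-Object { $covered -notcontains $_ }
if ($missing) { Write-Warning "Certificate does not cover: $($missing -join ', ')" }
```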